<?xml version="1.0" encoding="utf-8" ?>
<Rules FriendlyName="ASP.NET.Security.Configuration">
  <Rule TypeName="DebugCompilationMustBeDisabled" Category="ASP.NET.Security.Configuration" CheckId="CA5400">
    <Name>DebugCompilationMustBeDisabled</Name>
    <Description>Verifies that debug compilation is turned off. This eliminates potential performance and security issues related to debug code enabled and additional extensive error messages being returned.</Description>
    <Url></Url>
    <Resolution>
      The violation can be fixed by configuring the system.web.compilation debug attribute to false or by leaving the default value.
      <![CDATA[
Example:
<configuration>
 <system.web>
  <compilation debug="false"/>
 </system.web>
</configuration>
]]>.
      To suppress this issue you need to add the following SupressMessageAttribute:
      [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("ASP.NET.Security.Configuration","CA5400:DebugCompilationMustBeDisabled", Target="/Public/web.config")]
      Where the Target property is set to the location of the web.config containing the violation.
    </Resolution>
    <Email></Email>
    <MessageLevel Certainty="100">CriticalError</MessageLevel>
    <FixCategories>NonBreaking</FixCategories>
    <Owner />
  </Rule>
  <Rule TypeName="CustomErrorPageShouldBeSpecified" Category="ASP.NET.Security.Configuration" CheckId="CA5401">
    <Name>CustomErrorPageShouldBeSpecified</Name>
    <Description>Verifies that the CustomErrors section is configured to have a default url for redirecting uses in case of error.</Description>
    <Url>http://msdn2.microsoft.com/en-us/library/h0hfz6fc(vs.71).aspx</Url>
    <Resolution>
      The violation can be fixed by setting the system.web.customErrors mode attribute to On or RemoteOnly.
      <![CDATA[
Example:
<configuration>
 <system.web>
  <customErrors mode="On" defaultRedirect="/Error.aspx"/>
 </system.web>
</configuration>
]]>
      To suppress this issue you need to add the following SupressMessageAttribute:
      [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("ASP.NET.Security.Configuration","CA5401:CustomErrorPageShouldBeSpecified", Target="/Public/web.config")]
      Where the Target property is set to the location of the web.config containing the violation.
    </Resolution>
    <Email></Email>
    <MessageLevel Certainty="100">CriticalWarning</MessageLevel>
    <FixCategories>NonBreaking</FixCategories>
    <Owner />
  </Rule>
  <Rule TypeName="FormAuthenticationShouldNotContainFormAuthenticationCredentials" Category="ASP.NET.Security.Configuration" CheckId="CA5402">
    <Name>FormAuthenticationShouldNotContainFormAuthenticationCredentials</Name>
    <Description>The rule verifies that no credentials are specified under the form authentication configuration.</Description>
    <Url>http://msdn2.microsoft.com/en-us/library/ms998367.aspx </Url>
    <Resolution>
      The violation can be resolved by removing the system.web.authentication.forms.credential nodes.
      <![CDATA[
Example:
<configuration>
 <system.web>
  <authentication mode="Forms">
   <forms>
   </forms>
  </authentication>
 </system.web>
</configuration>
]]>
      To suppress this issue you need to add the following SupressMessageAttribute:
      [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("ASP.NET.Security.Configuration","CA5402:FormAuthenticationShouldNotContainFormAuthenticationCredentials, Target="/Public/web.config")]
      Where the Target property is set to the location of the web.config containing the violation.
    </Resolution>
    <Email></Email>
    <MessageLevel Certainty="100">CriticalError</MessageLevel>
    <FixCategories>NonBreaking</FixCategories>
    <Owner />
  </Rule>
  <Rule TypeName="EnableCrossAppRedirectsShouldBeTrue" Category="ASP.NET.Security.Configuration" CheckId="CA5403">
    <Name>EnableCrossAppRedirectsShouldBeTrue</Name>
    <Description>The rule verifies that the system.web.authentication.forms enableCrossAppRedirects is set to true. The settings indicate if the user should be redirected to another application url after the authentication process. If the setting is false, the authentication process will not allow redirection to another application or host. This helps prevent an attacker to force the user to be redirected to another site during the authentication process. This attack is commonly called Open redirect and is used mostly during phishing attacks.</Description>
    <Url>http://msdn.microsoft.com/en-us/library/system.web.security.formsauthentication.enablecrossappredirects.aspx </Url>
    <Resolution>
      The violation can be fixed by leaving the system.web.authentication.forms enableCrossAppRedirects to its default value or by setting it to false.
      <![CDATA[
Example:
<configuration>
 <system.web>
  <authentication mode="Forms">
   <forms loginUrl="~/login.aspx" protection="All" requireSSL="true" enableCrossAppRedirects="false"/>
  </authentication>
 </system.web>
</configuration>
]]>
      To suppress this issue you need to add the following SupressMessageAttribute:
      [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("ASP.NET.Security.Configuration","CA5403:EnableCrossAppRedirectsShouldBeTrue, Target="/Public/web.config")]
      Where the Target property is set to the location of the web.config containing the violation.
    </Resolution>
    <Email></Email>
    <MessageLevel Certainty="100">Warning</MessageLevel>
    <FixCategories>NonBreaking</FixCategories>
    <Owner />
  </Rule>
  <Rule TypeName="FormAuthenticationProtectionShouldBeAll" Category="ASP.NET.Security.Configuration" CheckId="CA5404">
    <Name>FormAuthenticationProtectionShouldBeAll</Name>
    <Description>The rule verifies that the protection attribute on the system.web.authentication.forms protection is set to All which specifies that the application use both data validation and encryption to help protect the authentication cookie.</Description>
    <Url>http://msdn2.microsoft.com/en-us/library/ms998367.aspx</Url>
    <Resolution>
      The violation can be fixed by leaving the system.web.authentication.forms protection to its default value or by setting it to All.
      <![CDATA[
Example:
<configuration>
 <system.web>
  <authentication mode="Forms">
   <forms loginUrl="~/login.aspx" protection="All" requireSSL="true"/>
  </authentication>
 </system.web>
</configuration>
]]>
      To suppress this issue you need to add the following SupressMessageAttribute:
      [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("ASP.NET.Security.Configuration","CA5404:FormAuthenticationProtectionShouldBeAll, Target="/Public/web.config")]
      Where the Target property is set to the location of the web.config containing the violation.
    </Resolution>
    <Email></Email>
    <MessageLevel Certainty="100">CriticalWarning</MessageLevel>
    <FixCategories>NonBreaking</FixCategories>
    <Owner />
  </Rule>
  <Rule TypeName="FormAuthenticationRequireSSLShouldBeTrue" Category="ASP.NET.Security.Configuration" CheckId="CA5405">
    <Name>FormAuthenticationRequireSSLShouldBeTrue</Name>
    <Description>The rule verifies that the requireSSL attribute on the system.web.authentication.forms configuration element is set to True which force the authentication cookie to specify the secure attribute. This indicates the browser to only provide the cookie over SSL.</Description>
    <Url>http://msdn.microsoft.com/en-us/library/system.web.security.formsauthentication.requiressl.aspx</Url>
    <Resolution>
      The violation can be fixed by setting the system.web.authentication.forms requireSSL to true.
      <![CDATA[
Example:
<configuration>
 <system.web>
  <authentication mode="Forms">
   <forms loginUrl="~/login.aspx" protection="All" requireSSL="true"/>
  </authentication>
 </system.web>
</configuration>
]]>
      To suppress this issue you need to add the following SupressMessageAttribute:
      [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("ASP.NET.Security.Configuration","CA5405:FormAuthenticationRequireSSLShouldBeTrue", Target="/Public/web.config")]
      Where the Target property is set to the location of the web.config containing the violation.
    </Resolution>
    <Email></Email>
    <MessageLevel Certainty="100">CriticalWarning</MessageLevel>
    <FixCategories>NonBreaking</FixCategories>
    <Owner />
  </Rule>
  <Rule TypeName="FormAuthenticationSlidingExpirationShouldBeFalse" Category="ASP.NET.Security.Configuration" CheckId="CA5406">
    <Name>FormAuthenticationSlidingExpirationShouldBeFalse</Name>
    <Description>The rule verifies that if the system.web.authentication.forms slidingExpiration be set to false when the site is being serviced over HTTP. This will force the authentication cookie to have a fix timeout value instead of being refreshed by each request. Since the cookie will traverse over clear text network and can be sniffed, having a fix timeout value on the cookie will limit the amount of time the cookie can be replayed. If the cookie is traversing over HTTPS, it is less likely to be intercepted and having the slidingExpiration setting to True will cause the timeout to be refreshed after each request which gives a better user experience.</Description>
    <Url>http://msdn.microsoft.com/en-us/library/system.web.security.formsauthentication.requiressl.aspx</Url>
    <Resolution>
      The violation can be fixed by setting the system.web.authentication.forms slidingExpiration to false if the application is not being services over HTTPS.
      <![CDATA[
Examples:
1. system.web.authentication.forms requireSSL is set to True and slidingExpiration is set to False
<configuration>
 <system.web>
  <authentication mode="Forms">
   <forms loginUrl="~/login.aspx" protection="All" requireSSL="true" slidingExpiration="false"/>
  </authentication>
 </system.web>
</configuration>

2. system.web.authentication.forms requireSSL is set to True and slidingExpiration is set to True
<configuration>
 <system.web>
  <authentication mode="Forms">
   <forms loginUrl="~/login.aspx" protection="All" requireSSL="true" slidingExpiration="true"/>
  </authentication>
 </system.web>
</configuration>

3. system.web.authentication.forms requireSSL is set to its default value, False, and slidingExpiration is set to false
<configuration>
 <system.web>
  <authentication mode="Forms">
   <forms loginUrl="~/login.aspx" protection="All" slidingExpiration="false"/>
  </authentication>
 </system.web>
</configuration>
]]>
      To suppress this issue you need to add the following SupressMessageAttribute:
      [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("ASP.NET.Security.Configuration","CA5406:FormAuthenticationSlidingExpirationShouldBeFalse, Target="/Public/web.config")]
      Where the Target property is set to the location of the web.config containing the violation.
    </Resolution>
    <Email></Email>
    <MessageLevel Certainty="100">Warning</MessageLevel>
    <FixCategories>NonBreaking</FixCategories>
    <Owner />
  </Rule>
  <Rule TypeName="HttpCookiesHttpOnlyCookiesShouldBeTrue" Category="ASP.NET.Security.Configuration" CheckId="CA5407">
    <Name>HttpCookiesHttpOnlyCookiesShouldBeTrue</Name>
    <Description>The rule verifies that the system.web.httpCookies httpOnlyCookies configuration is set to True which force all cookies to be sent with the HttpOnly attribute.</Description>
    <Url>http://msdn2.microsoft.com/en-us/library/ms228262.aspx</Url>
    <Resolution>
      The violation can be fixed by setting the system.web.httpCookies httpOnlyCookies to true.
      <![CDATA[
Example:
<configuration>
 <system.web>
  <httpCookies requireSSL="true" httpOnlyCookies="true"/>
 </system.web>
</configuration>
]]>.
      To suppress this issue you need to add the following SupressMessageAttribute:
      [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("ASP.NET.Security.Configuration","CA5407:HttpCookiesHttpOnlyCookiesShouldBeTrue", Target="/Public/web.config")]
      Where the Target property is set to the location of the web.config containing the violation.
    </Resolution>
    <Email></Email>
    <MessageLevel Certainty="100">CriticalWarning</MessageLevel>
    <FixCategories>NonBreaking</FixCategories>
    <Owner />
  </Rule>
  <Rule TypeName="HttpCookiesRequireSSLShouldBeTrue" Category="ASP.NET.Security.Configuration" CheckId="CA5408">
    <Name>HttpCookiesRequireSSLShouldBeTrue</Name>
    <Description>The rule verifies that the system.web.httpCookies requireSSL configuration is set to True which force all cookies to be sent with the secure attribute. This indicates the browser to only provide the cookie over SSL.</Description>
    <Url>http://msdn2.microsoft.com/en-us/library/ms228262.aspx</Url>
    <Resolution>
      The violation can be fixed by setting the system.web.httpCookies requireSSL to true if the application is serviced over HTTPS.
      <![CDATA[
Example:
<configuration>
 <system.web>
  <httpCookies requireSSL="true" httpOnlyCookies="true"/>
 </system.web>
</configuration>
]]>.
      To suppress this issue you need to add the following SupressMessageAttribute:
      [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("ASP.NET.Security.Configuration","CA5408:HttpCookiesRequireSSLShouldBeTrue", Target="/Public/web.config")]
      Where the Target property is set to the location of the web.config containing the violation.
    </Resolution>
    <Email></Email>
    <MessageLevel Certainty="100">CriticalWarning</MessageLevel>
    <FixCategories>NonBreaking</FixCategories>
    <Owner />
  </Rule>
  <Rule TypeName="TraceShouldBeDisabled" Category="ASP.NET.Security.Configuration" CheckId="CA5409">
    <Name>TraceShouldBeDisabled</Name>
    <Description>The rule verifies that the system.web.trace enabled setting is set to false which disable tracing. It is recommended to disable tracing on production servers to make sure that an attacker cannot gain information from the trace about your application. Trace information can help an attacker probe and compromise your application.</Description>
    <Url>http://msdn.microsoft.com/en-us/library/6915t83k.aspx</Url>
    <Resolution>
      The violation can be fixed by leaving system.web.trace enabled to its default value, false, or by explicitly setting it to false.
      <![CDATA[
Example:
<configuration>
 <system.web>
  <trace enabled="false"/>
 </system.web>
</configuration>
]]>.
      To suppress this issue you need to add the following SupressMessageAttribute:
      [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("ASP.NET.Security.Configuration","CA5409:TraceShouldBeDisabled", Target="/Public/web.config")]
      Where the Target property is set to the location of the web.config containing the violation.
    </Resolution>
    <Email></Email>
    <MessageLevel Certainty="100">CriticalWarning</MessageLevel>
    <FixCategories>NonBreaking</FixCategories>
    <Owner />
  </Rule>
  <Rule TypeName="AnonymousAccessIsEnabled" Category="ASP.NET.Security.Configuration" CheckId="CA5410">
    <Name>AnonymousAccessIsEnabled</Name>
    <Description>Looks in the web.config file to see if the authorization section allows anonymous access.</Description>
    <Url>http://msdn2.microsoft.com/en-us/library/ms998367.aspx </Url>
    <Resolution>
      The violation can be fixed by including a global deny section for all users by setting the user attribute of the deny section to ? which represent all anonymous users.
      <![CDATA[
Example :
<configuration>
 <system.web>
  <authorization>
   <allow users="Kim"/>
   <allow roles="Admins"/>
   <!-- Deny all anonymous users-->
   <deny users="?"/>
  </authorization>
 </system.web>
</configuration>
]]>.
      To suppress this issue you need to add the following SupressMessageAttribute:
      [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("ASP.NET.Security.Configuration","CA5410:AnonymousAccessIsEnabled", Target="/Public/web.config")]
      Where the Target property is set to the location of the web.config containing the violation.
    </Resolution>
    <Email></Email>
    <MessageLevel Certainty="100">Warning</MessageLevel>
    <FixCategories>NonBreaking</FixCategories>
    <Owner />
  </Rule>
  <Rule TypeName="RoleManagerCookieProtectionShouldBeAll" Category="ASP.NET.Security.Configuration" CheckId="CA5411">
    <Name>RoleManagerCookieProtectionShouldBeAll</Name>
    <Description>The rule verifies that the system.web.rolemanager cookieProtection is set to All which enforce both the cookie to be encrypted and validated by the server.</Description>
    <Url>http://msdn.microsoft.com/en-us/library/system.web.security.roles.cookieprotectionvalue.aspx</Url>
    <Resolution>
      The violation can be fixed by leaving system.web.rolemanager cookieProtection to its default value or setting it to All.
      <![CDATA[
Example :
<configuration>
 <system.web>	
  <roleManager enabled="true" cookieProtection="All"/>
 </system.web>
</configuration>
]]>.
      To suppress this issue you need to add the following SupressMessageAttribute:
      [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("ASP.NET.Security.Configuration","CA5411:RoleManagerCookieProtectionShouldBeAll", Target="/Public/web.config")]
      Where the Target property is set to the location of the web.config containing the violation.
    </Resolution>
    <Email></Email>
    <MessageLevel Certainty="100">CriticalWarning</MessageLevel>
    <FixCategories>NonBreaking</FixCategories>
    <Owner />
  </Rule>
  <Rule TypeName="RoleManagerCookieRequireSSLShouldBeTrue" Category="ASP.NET.Security.Configuration" CheckId="CA5412">
    <Name>RoleManagerCookieRequireSSLShouldBeTrue</Name>
    <Description>The rule verifies that the system.web.rolemanager cookieRequireSSL attribute is set to True which force the role manager cookie to specify the secure attribute. This indicates the browser to only provide the cookie over SSL.</Description>
    <Url>http://msdn.microsoft.com/en-us/library/system.web.security.roles.cookierequiressl.aspx</Url>
    <Resolution>
      The violation can be fixed by setting the system.web.rolemanager cookieRequireSSL to true.
      <![CDATA[
<configuration>
 <system.web>
  <roleManager enabled="true" cookieRequireSSL="true"/>
 </system.web>
</configuration>
]]>
      To suppress this issue you need to add the following SupressMessageAttribute:
      [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("ASP.NET.Security.Configuration","CA5412:RoleManagerCookieRequireSSLShouldBeTrue", Target="/Public/web.config")]
      Where the Target property is set to the location of the web.config containing the violation.
    </Resolution>
    <Email></Email>
    <MessageLevel Certainty="100">CriticalWarning</MessageLevel>
    <FixCategories>NonBreaking</FixCategories>
    <Owner />
  </Rule>
  <Rule TypeName="RoleManagerCookieSlidingExpirationShouldBeFalse" Category="ASP.NET.Security.Configuration" CheckId="CA5413">
    <Name>RoleManagerCookieSlidingExpirationShouldBeTrue</Name>
    <Description>
      The rule verifies that if the system.web.rolemanager cookieSlidingExpiration is set to false when the site is being serviced over HTTP. This will force the authentication cookie to have a fix timeout value instead of being refreshed by each request. Since the cookie will traverse over clear text network and can be sniffed, having a fix timeout value on the cookie will limit the amount of time the cookie can be replayed.
      If the cookie is traversing over HTTPS, it is less likely to be intercepted and having the cookieSlidingExpiration setting to True will cause the timeout to be refreshed after each request which gives a better user experience.
    </Description>
    <Url>http://msdn.microsoft.com/en-us/library/system.web.security.roles.cookieslidingexpiration.aspx</Url>
    <Resolution>
      The violation can be fixed by setting the system.web.rolemanager cookieSlidingExpiration to false when the application is not being serviced over HTTPS.
      <![CDATA[
Example:
<configuration>
 <system.web>
  <roleManager enabled="true" cookieRequireSSL="true" cookieSlidingExpiration="false"/>
 </system.web>
</configuration>
]]>
      To suppress this issue you need to add the following SupressMessageAttribute:
      [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("ASP.NET.Security.Configuration","CA5413:RoleManagerCookieSlidingExpirationShouldBeFalse", Target="/Public/web.config")]
      Where the Target property is set to the location of the web.config containing the violation.
    </Resolution>
    <Email></Email>
    <MessageLevel Certainty="100">Warning</MessageLevel>
    <FixCategories>NonBreaking</FixCategories>
    <Owner />
  </Rule>
  <Rule TypeName="PagesEnableViewStateMacShouldBeTrue" Category="ASP.NET.Security.Configuration" CheckId="CA5414">
    <Name>PagesEnableViewStateMacShouldBeTrue</Name>
    <Description>Verifies that the viewstate mac is enabled.</Description>
    <Url>http://msdn.microsoft.com/en-us/library/950xf363.aspx</Url>
    <Resolution>
      The enableViewStateMac should be set to true.
      <![CDATA[
Example:
<configuration>
 <system.web>
  <pages enableViewStateMac="true"/>
 </system.web>
</configuration>
]]>
      To suppress this issue you need to add the following SupressMessageAttribute:
      [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("ASP.NET.Security.Configuration","CA5414:PagesEnableViewStateMacShouldBeTrue", Target="/Public/web.config")]
      Where the Target property is set to the location of the web.config containing the violation.
    </Resolution>
    <Email></Email>
    <MessageLevel Certainty="100">CriticalWarning</MessageLevel>
    <FixCategories>NonBreaking</FixCategories>
    <Owner />
  </Rule>
  <Rule TypeName="PagesEnableEventValidationMustBeTrue" Category="ASP.NET.Security.Configuration" CheckId="CA5415">
    <Name>PagesEnableEventValidationMustBeTrue</Name>
    <Description>Verify if event validation is enabled.</Description>
    <Url>http://msdn.microsoft.com/en-us/library/950xf363.aspx</Url>
    <Resolution>
      The enableEventValidation should be set to true.
      <![CDATA[
Example:
<configuration>
 <system.web>
  <pages enableEventValidation="true"/>
 </system.web>
</configuration>
]]>
      To suppress this issue you need to add the following SupressMessageAttribute:
      [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("ASP.NET.Security.Configuration","CA5415:PagesEnableEventValidationMustBeTrue", Target="/Public/web.config")]
      Where the Target property is set to the location of the web.config containing the violation.
    </Resolution>
    <Email></Email>
    <MessageLevel Certainty="100">CriticalWarning</MessageLevel>
    <FixCategories>NonBreaking</FixCategories>
    <Owner />
  </Rule>
  <Rule TypeName="HttpRuntimeEnableHeaderCheckingShouldBeTrue" Category="ASP.NET.Security.Configuration" CheckId="CA5416">
    <Name>HttpRuntimeEnableHeaderCheckingShouldBeTrue</Name>
    <Description>The rule verifies that the system.web.httpRuntime enableHeaderChecking attribute is set to true. From http://msdn.microsoft.com/en-us/library/e1f13641.aspx. The setting indicates whether ASP.NET should check the request header for potential injection attacks. If an attack is detected, ASP.NET responds with an error. This forces ASP.NET to apply the ValidateRequest protection to headers sent by the client. If an attack is detected the application throws HttpRequestValidationException.</Description>
    <Url>http://msdn.microsoft.com/en-us/library/e1f13641.aspx</Url>
    <Resolution>
      The violation can be fixed by leaving system.web.httpRuntime enableHeaderChecking to its default value or setting it to True.
      <![CDATA[
Example:
<configuration>
 <system.web>
  <httpRuntime enableHeaderChecking="true"/>
 </system.web>
</configuration>
]]>
      To suppress this issue you need to add the following SupressMessageAttribute:
      [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("ASP.NET.Security.Configuration","CA5416:HttpRuntimeEnableHeaderCheckingShouldBeTrue, Target="/Public/web.config")]
      Where the Target property is set to the location of the web.config containing the violation.
    </Resolution>
    <Email></Email>
    <MessageLevel Certainty="100">CriticalWarning</MessageLevel>
    <FixCategories>NonBreaking</FixCategories>
    <Owner />
  </Rule>
  <Rule TypeName="PagesValidateRequestShouldBeEnabled" Category="ASP.NET.Security.Configuration" CheckId="CA5417">
    <Name>PagesValidateRequestShouldBeEnabled</Name>
    <Description>Verify that validateRequest is enabled.</Description>
    <Url>http://msdn.microsoft.com/en-us/library/950xf363.aspx</Url>
    <Resolution>
      The system.web.pages validateRequest attribute should be set to true.
      <![CDATA[
Example:
<configuration>
 <system.web>
  <pages validateRequest="true"/>
 </system.web>
</configuration>
]]>
      To suppress this issue you need to add the following SupressMessageAttribute:
      [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("ASP.NET.Security.Configuration","CA5417:PagesValidateRequestShouldBeEnabled", Target="/Public/web.config")]
      Where the Target property is set to the location of the web.config containing the violation.
    </Resolution>
    <Email></Email>
    <MessageLevel Certainty="100">CriticalWarning</MessageLevel>
    <FixCategories>NonBreaking</FixCategories>
    <Owner />
  </Rule>
  <Rule TypeName="PagesViewStateEncryptionModeShouldBeAlways" Category="ASP.NET.Security.Configuration" CheckId="CA5418">
    <Name>PagesViewStateEncryptionModeShouldBeAlways</Name>
    <Description>Verify that the viewstate encryption mode is not configured to never encrypt.</Description>
    <Url>http://msdn.microsoft.com/en-us/library/950xf363.aspx</Url>
    <Resolution>
      The system.web.pages viewStateEncryptionMode attribute should be set to Always.
      <![CDATA[
Example:
<configuration>
 <system.web>
  <pages viewStateEncryptionMode="Always"/>
  </system.web>
</configuration>
]]>
      To suppress this issue you need to add the following SupressMessageAttribute:
      [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("ASP.NET.Security.Configuration","CA5418:PagesViewStateEncryptionModeShouldBeAlways", Target="/Public/web.config")]
      Where the Target property is set to the location of the web.config containing the violation.
    </Resolution>
    <Email></Email>
    <MessageLevel Certainty="100">Error</MessageLevel>
    <FixCategories>NonBreaking</FixCategories>
    <Owner />
  </Rule>
  <Rule TypeName="CustomErrorsModeShouldBeOn" Category="ASP.NET.Security.Configuration" CheckId="CA5419">
    <Name>CustomErrorsModeShouldBeOn</Name>
    <Description>The rule verifies that the system.web.customErrors mode is set to On or RemoteOnly. This disable detailed error message returned by ASP.NET to remote users.</Description>
    <Url>http://msdn2.microsoft.com/en-us/library/h0hfz6fc(vs.71).aspx </Url>
    <Resolution>
      The violation can be fixed by setting the system.web.customErrors mode attribute to On or RemoteOnly.
      <![CDATA[
Example :
<configuration>
 <system.web>
  <customErrors mode="On" />
 </system.web>
</configuration>

or
 
<configuration>
 <system.web>
  <customErrors mode="RemoteOnly" />
 </system.web>
</configuration>
]]>
      To suppress this issue you need to add the following SupressMessageAttribute:
      [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("ASP.NET.Security.Configuration","CA5419:CustomErrorsModeShouldBeOn", Target="/Public/web.config")]
      Where the Target property is set to the location of the web.config containing the violation.
    </Resolution>
    <Email></Email>
    <MessageLevel Certainty="100">CriticalWarning</MessageLevel>
    <FixCategories>NonBreaking</FixCategories>
    <Owner />
  </Rule>
</Rules>
